Cyber risk controls
When If started looking into offering cyber security insurance, we carefully considered how our clients currently use IT in their businesses and how it has evolved over time, the risks threatening IT, and the controls available to mitigate the risks.
The use of IT systems has increased to automate processes
In the last 10 to 15 years, organisations have been using IT systems at an ever-increasing rate to automate business processes, make staff more effective and efficient, and provide new services to customers. Examples are enterprise resource planning systems, industrial control systems, logistic systems, e-commerce websites, autonomous vehicles, and smartphones.
IT systems have also become increasingly interconnected, not only within a given organisation, but also with systems in external networks that can be controlled by third parties.
Organisations have also shifted from buying equipment and having it serviced by their own employees or contractors to increasingly buying that capability from specialised suppliers. This includes using outsourcing or cloud service providers that deliver their services from remote locations, or leasing equipment and maintenance that are placed at the organisation's own premises in order to keep operational control.
Mission-critical operational capabilities are also included here, such as logistics systems and the monitoring and servicing of engines. Business drivers such as growth, profitability and competition drive this change to an 'extended enterprise', as it makes organisations better, faster and cheaper.
However, this change also opens up organisations to new risks: as they become increasingly dependent on interconnected IT systems and infrastructure, the organisation is exposed to new threats and vulnerabilities.
For instance, industrial control systems (e.g., SCADA, PLC), originally designed to operate in networks physically separated from all other systems, can, in the present day, be connected to various support systems for resource planning or logistics. These interconnected systems may be located in-house or in the cloud, have connections with remote systems managed by other providers, and be accessible from remote networks for remote monitoring and maintenance.
The tools and techniques used in cyber attacks, as well as the threat actors behind them, have also evolved. Nowadays, security breaches in high profile organisations are frequently headline news.
Cyber control frameworks and baselines
To help organisations implement risk-driven security controls, security standards have been developed to control cyber risks. One of the most well-known is the ISO/IEC 27001¹ standard, which specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of an organisation's defined scope.
The latest version of this standard now applies the 'High-Level Structure' used in other ISO standards, for example in ISO 9001 (Quality Management) and ISO 22313 (Business Continuity Management). Alternatives exist, such as the NIST (United States) and COBIT (ISACA) frameworks, and there are also frameworks developed for healthcare and financial institutions.
Having a framework helps organisations to identify their risks and then design, manage and review controls to mitigate those risks, but it does not tell the organisation what its risks are or how to deal with them. If one takes a phased approach when implementing a standard, focusing on key business processes as the first step, it is usually not a lengthy process to assess risk and establish the level of security controls already in place.
Organisations that are in a hurry, or for some reason cannot implement a cyber security standard or framework, should consider adopting a baseline: a concise, prioritised set of cyber practices aimed at stopping the most pervasive and dangerous current cyber attacks.
Baselines developed over time, especially for critical infrastructures, are often available from national Computer Emergency Response Teams (CERT). As the risks to applications, systems, devices and operators are largely common risks, any organisation can benefit from them. You can find your national CERT on the internet, for example at cert.dk, cert.fi, cert.no and cert.se. Baselines and frameworks are also available from (state-)sponsored non-profit organisations.
One of the most well-known control baselines is provided by the Center for Internet Security (cisecurity.org), which promotes its CIS Critical Security Controls. For operators of critical infrastructure, the NIST Cybersecurity Framework provides private sector organisations with a structure for assessing and improving their ability to prevent, detect and respond to cyber incidents.
The value of cyber controls
Did you know that by applying just the first five (!) of the CIS Controls as basic 'hygiene', organisations can reduce the risk of a cyber attack by around 85 per cent?
Those top 5 controls are:
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 4: Continuous Vulnerability Assessment and Remediation
- CSC 5: Controlled Use of Administrative Privileges
Regardless of the chosen approach to implementing cyber security controls, they must be regularly assessed or tested in order to provide assurance that they work and that current risks are properly mitigated. It is vital to conduct regular audits and tests, preferably using skilled security penetration testers who simulate a cyber attack. Security penetration testers are trained to use the same kind of mindset, methodology and tools as cybercriminals, but in a controlled and non-destructive manner.
¹ ISO/IEC 27001:2013, an information security management system (ISMS) standard initially published in 2005 and revised in 2013 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
Erik van der Heijden
Senior Risk Engineer, If
Cyber risk specialist, If